Hi Vincent, On 09/16/2010 10:01 AM, Vincent Massol wrote:
Hi Alex,
On Sep 15, 2010, at 8:00 PM, abusenius (SVN) wrote:
Author: abusenius
Date: 2010-09-15 20:00:02 +0200 (Wed, 15 Sep 2010)
New Revision: 31124

Modified: platform/xwiki-tools/trunk/xwiki-configuration-resources/src/main/resources/xwiki.properties.vm
Log: XWIKI-5461: Added configuration for CSRF protection
Modified: platform/xwiki-tools/trunk/xwiki-configuration-resources/src/main/resources/xwiki.properties.vm =================================================================== --- platform/xwiki-tools/trunk/xwiki-configuration-resources/src/main/resources/xwiki.properties.vm 2010-09-15 17:59:36 UTC (rev 31123) +++ platform/xwiki-tools/trunk/xwiki-configuration-resources/src/main/resources/xwiki.properties.vm 2010-09-15 18:00:02 UTC (rev 31124) @@ -267,3 +267,23 @@ #crypto.passwd.keyDerivationFunctionPropertiesForPasswordVerification = millisecondsOfProcessorTimeToSpend = 200 #crypto.passwd.keyDerivationFunctionPropertiesForPasswordVerification = numberOfKilobytesOfMemoryToUse = 1024 #crypto.passwd.keyDerivationFunctionPropertiesForPasswordVerification = derivedKeyLength = 32 + +#------------------------------------------------------------------------------------- +# CSRF token component +#------------------------------------------------------------------------------------- + +#-# [Since 2.5M2] +#-# Controls whether secret token validation mechanism should be used (to prevent CSRF attacks). +#-# +#-# If enabled, all actions requiring "comment", "edit", "delete", "admin" or "programming" rights +#-# will check that the parameter "form_token" with the value of a random secret token is present +#-# in the request. +#-# This feature requires CSRFToken component.
I think we could remove this last sentence since the CSRFToken component is bundled with the platform and this message will probably confuse the user who's not going to know how to check if he has this component or not. It'll make him/her ask himself questions, which we don't want IMO.
Agree.
+#-# +#-# Valid values: +#-# 0: Disabled +#-# 1: Enabled +#-# +#-# Default value is 0 +# core.csrftoken.enabled = 0
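Review bot: the documentation in this hunk understates the check. It says actions requiring "comment", "edit", "delete", "admin" or "programming" rights "will check that the parameter "form_token" with the value of a random secret token is present in the request", but mere presence of the parameter gives no protection; what matters is that its value matches the secret token issued for the current session, so the comment should say "is present in the request and matches the secret token of the current session". While touching this block, keep the "Default value is 0" line and the commented "# core.csrftoken.enabled = 0" example in sync if the default is later changed, since a reader will trust the documented default over the code.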
I guess we're going to turn it on by default when the implementation is finished?
Yes, once all functional tests pass and everything appears to work. It might be a good idea to turn it on for 2.5-SNAPSHOT and turn it back off for the final release to make failing tests visible, but Hudson will be *very* noisy until then. Thanks, Alex
Thanks
-Vincent

_______________________________________________
devs mailing list
http://lists.xwiki.org/mailman/listinfo/devs